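#!/usr/bin/env bash
# Install a minimal host firewall with nftables:
#   input   : default drop; accept established/related, loopback, ICMP echo,
#             the ICMPv6 messages IPv6 cannot work without, and SSH
#   forward : default drop
#   output  : default accept
# The ruleset is written to /etc/nftables.conf (the path the nftables service
# loads at boot), syntax-checked with `nft -c` BEFORE it replaces the live
# config, applied with `nft -f`, and finally the service is enabled so the
# rules survive a reboot.
#
# Environment:
#   SSH_PORT  TCP port accepted for SSH (default 22). Must be an integer in
#             1..65535 — it is interpolated into the ruleset, so anything else
#             is rejected rather than passed to nft.
#
# Must run as root. Output on success: "nftables配置完成".

set -euo pipefail

readonly NFT_CONF=/etc/nftables.conf
readonly SSH_PORT="${SSH_PORT:-22}"

# Temp file used while generating the config; cleaned up by the EXIT trap.
tmp=

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Generate the ruleset into a temp file next to NFT_CONF, syntax-check it,
# then move it into place so a half-written config can never be loaded.
# Globals:   NFT_CONF (read), SSH_PORT (read), tmp (written)
# Returns:   0 on success, exits via die on any failure
#######################################
write_config() {
  tmp=$(mktemp "${NFT_CONF}.XXXXXX") || die "mktemp failed"

  # Unquoted heredoc on purpose: only ${SSH_PORT} is meant to expand; the
  # rest of the ruleset contains no $ or backticks.
  cat > "$tmp" <<EOF
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        # packets conntrack cannot classify (e.g. stray ACKs) are never useful
        ct state invalid drop
        iif lo accept
        # 拒绝所有非lo接口的loopback流量
        ip daddr 127.0.0.0/8 iif != "lo" drop
        ip6 daddr ::1 iif != "lo" drop
        icmp type echo-request accept
        # neighbour/router discovery is mandatory for IPv6 to function (RFC 4890)
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, echo-request } accept
        tcp dport ${SSH_PORT} accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF

  # Fail here, before the live config is touched, if the ruleset is malformed.
  nft -c -f "$tmp" || die "generated ruleset failed validation: $tmp"

  # mktemp creates the file 0600; the service runs as root, so that is enough
  # and keeps the ruleset out of unprivileged users' view.
  mv -f -- "$tmp" "$NFT_CONF" || die "cannot install $NFT_CONF"
}

main() {
  (( EUID == 0 )) || die "must run as root"
  command -v nft >/dev/null || die "nft not found; install nftables first"

  # SSH_PORT goes into the ruleset text, so accept only a sane port number.
  if [[ ! "$SSH_PORT" =~ ^[0-9]+$ ]] || (( SSH_PORT < 1 || SSH_PORT > 65535 )); then
    die "SSH_PORT must be an integer in 1..65535, got: $SSH_PORT"
  fi

  trap 'rm -f -- "${tmp:-}"' EXIT

  write_config

  # Apply now; `flush ruleset` + table definition in one file is a single
  # atomic transaction, so there is no window with no rules loaded.
  nft -f "$NFT_CONF" || die "failed to apply $NFT_CONF"

  # Enable/start AFTER the config is in place: the unit re-reads NFT_CONF, so
  # starting it first would have loaded whatever stale file was there before.
  systemctl enable nftables
  systemctl start nftables

  printf '%s\n' "nftables配置完成"
}

main "$@"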
